TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Treasury Inspector General for Tax Administration – Federal Information Security Management Act Report for Fiscal Year 2007

September 4, 2007

Reference Number: 2007-20-186

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number  | 202-927-7037
Email Address | Bonnie.Heald@tigta.treas.gov
Web Site      | http://www.tigta.gov

Background

The Federal Information Security Management Act (FISMA)[1] requires each Federal Government agency to report annually to the Office of Management and Budget on the effectiveness of its security programs. In addition, the FISMA requires that each agency shall have performed an annual independent evaluation of the information security program and practices of that agency. In compliance with the FISMA requirements, the Treasury Inspector General for Tax Administration performs the annual independent evaluation of the security program and practices of the Internal Revenue Service.

The Office of Management and Budget provides information security performance measures by which each agency is evaluated for the FISMA review.
The Office of Management and Budget uses the information from the agencies and independent evaluations to help assess agency-specific and Federal Government-wide security performance, develop its annual security report to Congress, assist in improving and maintaining adequate agency security performance, and assist in the development of the E-Government Scorecard under the President’s Management Agenda.

Attached is the Treasury Inspector General for Tax Administration Fiscal Year 2007 FISMA report. The report was forwarded to the Treasury Inspector General for consolidation into a report issued to the Department of the Treasury’s Chief Information Officer.

[1] The FISMA is part of the E-Government Act of 2002, Pub. L. No. 107-347, Title III, Section 301 (2002).

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

September 4, 2007

MEMORANDUM FOR DEPUTY INSPECTOR GENERAL FOR AUDIT
               OFFICE OF THE TREASURY INSPECTOR GENERAL

FROM:    Michael R. Phillips, Deputy Inspector General for Audit

SUBJECT: Treasury Inspector General for Tax Administration – Federal Information Security Management Act Report for Fiscal Year 2007

We are pleased to submit the Treasury Inspector General for Tax Administration’s Federal Information Security Management Act (FISMA)[1] report for Fiscal Year 2007. The FISMA requires the Office of Inspector General to perform an annual independent evaluation of information security policies, procedures, and practices and compliance with FISMA requirements.
As such, this report presents the results of our independent evaluation of the Internal Revenue Service’s (IRS) information technology security program.

We based our evaluation on the Office of Management and Budget (OMB) FISMA reporting guidelines for 2007 and the answers to the questionnaire published with the OMB guidelines (see Attachment I). During the 2007 evaluation period[2], we also conducted 12 audits to evaluate the adequacy of information security in the IRS (see Attachment II). We considered the results of those audits when making our assessment.

The IRS has made steady progress in complying with FISMA requirements since enactment of the FISMA in 2002, and it continues to place a high priority on efforts to improve its security program. During 2007, the IRS Modernization and Information Technology Services organization Cybersecurity office, the Security Program Management Office representatives from each IRS operating unit, and the Modernization and Information Technology Services organization Information Technology Security Council have partnered to improve the IRS’ compliance with the FISMA. Efforts continued this year to develop an enterprise-wide approach to help employees understand their responsibilities for securing IRS systems and data. A working group[3], with participation from all of the IRS business units, continued its weekly meetings to plan and refine processes for FISMA compliance.

[1] Pub. L. No. 107-347, Title III, 116 Stat. 2946 (2002).
[2] The FISMA reporting period for the Department of the Treasury is July 1, 2006, through June 30, 2007. Hereafter, all references to 2007 refer to the FISMA evaluation period.
The IRS also continued to work closely in seeking guidance and concurrence on FISMA issues with the Treasury Inspector General for Tax Administration and the Department of the Treasury Acting Chief Information Officer to improve compliance with the National Institute of Standards and Technology (NIST)[4] and FISMA requirements.

To complete our review, we evaluated a representative sample of 20 IRS information systems to:

   • Determine whether the systems are certified and accredited and to evaluate the quality of the certification and accreditation process, including annual testing of security controls.
   • Determine whether security controls had been tested within the last year and to evaluate the quality of the annual testing.
   • Evaluate the quality of the Plan of Action and Milestones (POA&M) process.
   • Determine whether Information Technology Contingency Plans had been adequately tested within the last year.

We conducted separate tests to evaluate processes for configuration management, incident reporting, awareness training, and ensuring the privacy of sensitive information.

Our evaluation of the IRS’ 2007 performance against specific OMB security measures and our audit work performed during the 2007 evaluation period show that the IRS still needs to do more to adequately secure its systems and data.
The most significant areas of concern are annual testing of security controls and contingency plans, implementation of configuration management standards, and privacy requirements for protecting personally identifiable information.

Attachment I provides our responses to the OMB FISMA questions for the Inspector General. We are confident the IRS’ systems inventory is substantially complete, the POA&M process is adequate to ensure the remediation of security weaknesses, and policies and procedures are followed for reporting computer security incidents. Provided in this document are security performance improvements as well as areas that require additional attention.

Certification and Accreditation

The quality of the certification and accreditation process is satisfactory; however, not all systems are currently certified and accredited.

The OMB guidelines for minimum security controls in Federal Government information systems require that all systems be certified and accredited every 3 years or when major system changes occur. The NIST provides guidelines for conducting the certifications and accreditations.

[3] IRS Security Program Management Office Council.
[4] The NIST, under the Department of Commerce, is responsible for developing standards and guidelines, including minimum requirements for providing adequate information security for all Federal Government agency operations and assets.

In 2006, we reported that the IRS had implemented a satisfactory certification and accreditation process.
Because of budget constraints, the IRS planned to implement its process over 3 years. For 2007, the IRS continued to apply this process and is on track to meet its goal by the end of the 2008 FISMA reporting period.

We evaluated the quality of the certification and accreditation process for all 5 of the systems in our sample of 20 that were certified and accredited during the 2007 FISMA reporting period. We determined that all five systems were properly certified, and all but one were accredited in accordance with NIST guidelines.

The certification documentation for each system included a:

   • System Security Plan that documented an appropriate set of security controls.
   • Security Test and Evaluation of all applicable controls using appropriate assessment procedures to determine whether the controls were implemented and operating as intended.
   • Security Assessment Report to inform the system owner of the remaining security weaknesses and risks.
   • POA&M for tracking the identified security control weaknesses.

However, the NIST Guidelines for the Security Certification and Accreditation of Federal Information Systems (Special Publication 800-37) state that a critical aspect of the security certification and accreditation process is the post-accreditation period involving the oversight and monitoring of the information system’s security controls. OMB guidelines state that continuous monitoring of security controls is required as part of the certification and accreditation process to ensure controls remain effective over time. The IRS did not make sufficient progress this year in properly implementing annual testing of security controls as part of its continuous monitoring efforts.
Accordingly, we could rate the certification and accreditation process no higher than satisfactory.

The OMB also requires the Inspector General to report on the number of systems certified and accredited in our sample. We are reporting that 15 (75 percent) of the 20 systems in our sample were certified and accredited. One system was certified in May 2007 but was not accredited by June 30, 2007, the end of the FISMA reporting period. The other four systems were certified prior to 2006 before the IRS changed its process. These systems were certified and accredited based solely on their underlying general support systems, which does not meet the OMB requirements.

In prior years, when making our assessment of the number of systems certified and accredited, we considered any system with an authorization to operate to be certified and accredited regardless of the quality of the process. This year, to be consistent with the Department of the Treasury Inspector General methodology, we considered the number of systems with satisfactory certifications and accreditations in making our assessment. Because we changed our methodology in addressing this issue, the percentage of systems with certifications and accreditations appears to have dropped from 100 percent in the 2006 FISMA reporting period, when in fact the number of satisfactory certifications and accreditations has steadily increased since 2006.

Annual Testing of Security Controls

As previously stated, the IRS did not make sufficient progress in implementing annual testing of security controls. The NIST requires system owners to select and test an appropriate and applicable set of security controls every year throughout the system life cycle but not necessarily to the same extent required for a certification.
NIST and Department of the Treasury guidelines state that, for selecting a subset of controls for annual testing, the first priority should be controls for which a weakness was corrected and closed off of a POA&M. The second priority should be the selection of highly volatile controls, the effectiveness of which is most likely to change over time.

The IRS met annual testing requirements on only 5 (25 percent) of the 20 systems we reviewed. We consider these systems as having met the requirement because they were tested during the certification process. For those systems that were not certified during the year, annual testing was conducted; however, the testing was not in compliance with NIST guidelines.

For the 15 systems that did not meet the annual testing requirements, the following weaknesses in the annual testing of controls demonstrate a lack of understanding by the system owners of the purpose of the requirements:

   • The system owners requested the assistance of the Cybersecurity office to help them meet their annual testing requirements. In response, the Cybersecurity office provided a standard list of controls to test for each system, based on the risk categorization of the system. Specifically, 13 high-volatility controls were preselected and required to be reviewed for moderate-impact systems, and 8 high-volatility controls were selected for the review of low-impact systems. This process is not consistent with NIST guidelines and Department of the Treasury guidance, which state that system owners must select an appropriate set of controls to be tested for their systems.
     Many of the controls required by the Cybersecurity office were not applicable to the 15 systems; nonetheless, the system owners included them in their continuous monitoring plans and then stated in the testing documentation that they were not applicable. Controls that are not applicable to the system do not require testing and should not be included in the continuous monitoring plans.
   • The requirement to include closed POA&M weaknesses in the continuous monitoring plan was not appropriately addressed by system owners. The purpose of this requirement is to verify whether the weaknesses were adequately addressed before being closed off the POA&M as completed. The continuous monitoring plans for 3 of the 15 systems included the selection of closed POA&M weaknesses for testing. However, system owners for two of the three systems included closed POA&M weaknesses that were not applicable to the system and required no testing. The continuous monitoring plan for one of the three systems included security certification and security accreditation, which had been closed off the system POA&M; however, these controls do not require testing to verify whether they are operating as intended and should not have been included in the continuous monitoring plan.
   • The continuous monitoring plans for 5 of the 15 systems included controls selected by the system owners that were in addition to those required by the Cybersecurity office and any closed POA&M control weaknesses. However, some of the controls selected were not appropriate for inclusion in a continuous monitoring plan.
     For example, organizational common controls were selected for one system. Common controls are not the responsibility of the system owner; therefore, these should not be included in a continuous monitoring plan. Other controls selected were known security weaknesses that had been identified when the system was certified in May 2006.
   • Controls that were appropriately included in the continuous monitoring plans were not always sufficiently tested to support the “passing” test results or to identify potential security control weaknesses. For example, we identified controls with passing results; however, the assessments of the controls were based on the controls being included in the Internal Revenue Manual or in the System Security Plan rather than testing of the controls to determine whether they were operating as intended.

While system owners have documented that all 15 systems were tested and evaluated this year, the selection of the controls to be tested and the quality of the testing were insufficient to (1) apprise the system owners of the status of security controls in their systems and (2) identify controls that may not be operating as intended to protect the systems and data.

Information Technology Contingency Plan Testing

The IRS made progress in 2007 in meeting the Federal Government requirement for annual testing of contingency plans. However, additional efforts are needed. The OMB requires that all information technology contingency plans be tested at least annually. The NIST requires that key aspects of contingency plans be tested for systems with moderate- and high-impact levels for the availability control objective. Guidance in the IRS FISMA Handbook states that tabletop[5] testing can be done for low-impact systems.
Department of the Treasury guidance states that tabletop testing alone is not sufficient for testing the contingency plans of moderate- and high-impact systems; functional[6] testing is also required. The guidance states that testing of the backup process is an example of a functional test.

Based on the above guidelines and requirements, we determined contingency plans for 14 (70 percent) of the 20 IRS systems we reviewed were properly tested. The contingency plan for one of the other six systems was not tested at all. Contingency plans for two systems were evaluated inadequately because they were tested using only a tabletop exercise. In addition, contingency plans for three systems were improperly tested because the functional testing of the backup process was incomplete. Department of the Treasury guidance describes backup process testing as a multistep test beginning with confirming that backup tapes are made. To fully test the process, bureaus must also verify whether the backup tape data are valid and retrievable. The IRS performed only the first step of the backup test process for these three systems.

[5] Participants in tabletop exercises walk through the contingency plan procedures to ensure the documentation reflects the ability to adequately perform the tasks outlined without any recovery operations actually occurring. A tabletop exercise is also known as a classroom exercise.
[6] A functional exercise is more extensive than a tabletop exercise and includes the simulation of an emergency.

Security Configuration Policies

The primary security goal of configuration management is ensuring changes to the system do not unintentionally or unknowingly diminish security. The OMB requires agencies to have configuration guides in place to ensure the consistent implementation of software across the agency.
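The multistep backup test described above under Information Technology Contingency Plan Testing (confirm the backup was made, then verify that its data are valid and retrievable), shown as an added worked example in Python. This is not IRS or Treasury code; the sample files, the tar archive standing in for a backup tape, and the function names are assumptions for illustration. It shows why stopping at step one is insufficient: a backup whose contents were silently damaged passes the existence check and fails only when every file is hashed against a manifest recorded at backup time and then actually restored.

```python
import hashlib
import io
import tarfile
import tempfile
import zlib
from pathlib import Path

# Constructed sample "system data" for this example; it is not real IRS data.
SAMPLE_FILES = {
    "db/accounts.dat": b"acct-0001,open\nacct-0002,closed\n",
    "config/app.ini": b"[security]\nencrypt_at_rest = true\n",
}

# Anything that can go wrong while reading a damaged or truncated archive.
READ_ERRORS = (tarfile.TarError, OSError, EOFError, zlib.error)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def write_archive(files: dict, archive: Path) -> None:
    """Write name -> bytes pairs into a gzip-compressed tar (stands in for a backup tape)."""
    with tarfile.open(archive, "w:gz") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))


def make_backup(files: dict, archive: Path) -> dict:
    """Step 1: make the backup and record a manifest of SHA-256 hashes taken at backup time."""
    manifest = {name: sha256(data) for name, data in files.items()}
    write_archive(files, archive)
    return manifest


def backup_was_made(archive: Path) -> bool:
    """The check the report describes as step one only: a backup exists and is non-empty."""
    return archive.is_file() and archive.stat().st_size > 0


def _read_members(archive: Path):
    """Yield (name, bytes) for every regular file stored in the archive."""
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                yield member.name, tar.extractfile(member).read()


def backup_data_is_valid(archive: Path, manifest: dict) -> list:
    """Step 2: read every member back and compare its hash to the manifest; [] means intact."""
    problems, seen = [], set()
    try:
        for name, data in _read_members(archive):
            seen.add(name)
            if name not in manifest:
                problems.append(f"unexpected file in backup: {name}")
            elif sha256(data) != manifest[name]:
                problems.append(f"hash mismatch: {name}")
    except READ_ERRORS as exc:
        problems.append(f"backup unreadable: {exc!r}")
    problems += [f"missing from backup: {name}" for name in manifest if name not in seen]
    return problems


def backup_is_retrievable(archive: Path, manifest: dict, scratch: Path) -> list:
    """Step 3: restore into a scratch directory as a real recovery would, then re-hash on disk."""
    problems, root = [], scratch.resolve()
    try:
        for name, data in _read_members(archive):
            dest = (root / name).resolve()
            if root not in dest.parents:  # refuse path traversal from a hostile archive
                problems.append(f"refused unsafe path: {name}")
                continue
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_bytes(data)
    except READ_ERRORS as exc:
        return problems + [f"restore failed: {exc!r}"]
    for name, expected in manifest.items():
        restored = root / name
        if not restored.is_file():
            problems.append(f"not restored: {name}")
        elif sha256(restored.read_bytes()) != expected:
            problems.append(f"restored copy differs: {name}")
    return problems


def functional_backup_test(archive: Path, manifest: dict, scratch: Path) -> dict:
    """Run all three steps; the test passes only if every step passes."""
    result = {"backup_made": backup_was_made(archive), "problems": []}
    if result["backup_made"]:
        result["problems"] += backup_data_is_valid(archive, manifest)
        result["problems"] += backup_is_retrievable(archive, manifest, scratch)
    result["passed"] = result["backup_made"] and not result["problems"]
    return result


def demo() -> tuple:
    """An intact backup versus one altered after the manifest was taken; both pass step one."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        archive = base / "backup.tgz"
        manifest = make_backup(SAMPLE_FILES, archive)
        good = functional_backup_test(archive, manifest, base / "restore_good")
        # Simulate media corruption: one record on the 'tape' is damaged, manifest unchanged.
        damaged = {**SAMPLE_FILES, "db/accounts.dat": b"acct-0001,open\nacct-0002,cl\x00sed\n"}
        write_archive(damaged, archive)
        bad = functional_backup_test(archive, manifest, base / "restore_bad")
    return good, bad


if __name__ == "__main__":
    for label, result in zip(("intact backup", "damaged backup"), demo()):
        print(f"{label}: passed={result['passed']} problems={result['problems']}")
```

Run the file directly to see both outcomes. In a production test the manifest would be kept on a system separate from the backup media, and the restore would go to a recovery host rather than a temporary directory, but the structure is the same: a test that only asserts the archive exists is the first step of the procedure, not a completed functional exercise.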
The IRS has an agency-wide security configuration policy but needs to do more to ensure information systems apply common security configurations established by the NIST.

The IRS provided test results that demonstrated an overall rate of 71 percent to 80 percent for implementing security configurations on all of the types of software it uses for which security configurations are provided by the NIST. For the individual types of software, the implementation rates range from a high of 99 percent to a low of 12 percent.

In 2007, we evaluated configuration management controls for database software used by the IRS[7]. We found that standard database security configurations were not adequately implemented because the configurations were poorly communicated, security roles and responsibilities were not assigned or carried out, and tests to detect noncompliance with standard configurations were inadequate. Improperly configured database software could make the IRS network vulnerable to disruptions of service and theft of sensitive information by hackers, employees, and contractors.

Awareness Training

The IRS provided security awareness training to over 98 percent of its employees. We also found that awareness training had been provided to more than 92 percent of its contractor staff, a significant improvement over last year when only 43 percent of contractor staff was trained. Awareness training is critical to ensuring employees understand how to properly use and protect the information technology resources entrusted to them.
However, the IRS needs to improve employees’ awareness of techniques hackers could use to persuade them to reveal their user names and passwords.

During the evaluation period, we conducted an audit to evaluate the susceptibility of IRS employees to social engineering[8] attempts that could be used by hackers to gain access to IRS systems.[9] We found the IRS needs to enhance its security awareness program to increase employees’ awareness of social engineering techniques and the importance of protecting their usernames and passwords. In a March 2007 audit test, posing as help desk employees, we were able to convince 60 percent of 102 employees tested to provide us with their usernames and to temporarily change their passwords to ones we suggested.

Privacy Requirements

During the past year, the IRS continued to take actions to conduct evaluations for all systems and applications that collect personal information. We determined a Privacy Impact Assessment[10] was prepared for all systems in our representative sample of 20 systems. The Office of Privacy has standard operating procedures and has submitted revised guidelines for processing Privacy Impact Assessments.

[7] See Attachment II, Report 11.
[8] A method used to circumvent existing computer security controls by exploiting the human element to obtain sensitive information that can be used to access computer resources and data.
[9] See Attachment II, Report 9.
[10] This is an analysis of how personal information is collected, stored, shared, and managed in a Federal Government system. Specifically, a privacy impact assessment (1) ensures handling conforms to applicable legal, regulatory, and policy requirements on privacy; (2) determines the risks and effect of collecting, maintaining, and disseminating personal information; and (3) examines and evaluates protection and alternative processes for handling personal data to reduce potential privacy risks.

However, in 2007, we assessed the IRS’ privacy requirements as poor due to the lack of compliance with security policies and procedures. We issued a report in 2007 summarizing the results of reviews we conducted from 2003 to 2007 that address the security of personally identifiable information[11]. The report concludes that persistent computer security weaknesses continue to jeopardize the security of personally identifiable information, primarily because employees and managers are not held accountable for implementing and complying with applicable IRS policies and procedures.

Specifically, we reported that:

   • Employees did not sufficiently safeguard laptop computers and did not encrypt data on the computers.
   • Employees were susceptible to social engineering techniques that hackers could use to gain access to their systems.
   • Employees continued to ignore IRS policies on the appropriate use of email, which increases potential security vulnerabilities.
   • Employees with key security responsibilities continued to ignore standard security configurations for their own convenience and were not held accountable for complying with procedures.
   • Managers did not consistently review audit trails to identify unauthorized accesses to taxpayer accounts.
   • Managers provided employees access to systems and data they do not need for their job responsibilities. In many cases, managers were not aware of the access capabilities of their employees.
   • The IRS and its contractors were not integrating security controls into modernized computer systems.

[11] See Attachment II, Report 10.

Attachment I

Details of the TIGTA Federal Information Security Management

Section C - Inspector General: Questions 1 and 2

Agency Name: Department of the Treasury - Internal Revenue Service
Submission date: August 31, 2007

Question 1: FISMA Systems Inventory

1. As required in FISMA, the IG shall evaluate a representative subset of systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.

In the table below, identify the number of agency and contractor information systems, and the number reviewed, by component/bureau and FIPS 199 system impact level (high, moderate, low, or not categorized). Extend the worksheet onto subsequent pages if necessary to include all Component/Bureaus.

Agency systems shall include information systems used or operated by an agency. Contractor systems shall include information systems used or operated by a contractor of an agency or other organization on behalf of an agency. The total number of systems shall include both agency systems and contractor systems.

Agencies are responsible for ensuring the security of information systems used by a contractor of their agency or other organization on behalf of their agency; therefore, self reporting by contractors does not meet the requirements of law. Self-reporting by another Federal agency, for example, a Federal service provider, may be sufficient. Agencies and service providers have a shared responsibility for FISMA compliance.

Question 2: Certification and Accreditation, Security Controls Testing, and Contingency Plan Testing

2. For the Total Number of Systems reviewed by Component/Bureau and FIPS System Impact Level in the table for Question 1, identify the number and percentage of systems which have: a current certification and accreditation, security controls tested and reviewed within the past year, and a contingency plan tested in accordance with policy.

Bureau Name: IRS. Column key: Q1a = agency systems; Q1b = contractor systems; Q1c = total number of systems (agency and contractor); Q2a = number of systems certified and accredited; Q2b = number of systems for which security controls have been tested and reviewed in the past year; Q2c = number of systems for which contingency plans have been tested in accordance with policy. "Rev." is the number reviewed; Question 2 percentages are of the total number of systems reviewed at that impact level; "-" marks levels with no systems reviewed.

FIPS 199 Impact Level   Q1a Number  Rev.   Q1b Number  Rev.   Q1c Total  Rev.   Q2a Number  Pct    Q2b Number  Pct    Q2c Number  Pct
High                             4     0            0     0           4     0           -     -            -     -            -     -
Moderate                       179    15            6     3         185    18          15   83%            5   28%           12   67%
Low                             71     2            0     0          71     2           0    0%            0    0%            2  100%
Not Categorized                  0     0            0     0           0     0           -     -            -     -            -     -
Sub-total                      254    17            6     3         260    20          15   75%            5   25%           14   70%

Comments:

Question 2.a. - In prior years when making our assessment of the number of systems certified and accredited, we considered any system with an authorization to operate to be certified and accredited regardless of the quality of the process. This year, to be consistent with the Department of the Treasury Inspector General methodology, we considered the number of systems with satisfactory certifications and accreditations in making our assessment. Because we changed our methodology in addressing this issue, the percentage of systems with certifications and accreditations appears to have dropped from 100 percent for the FISMA 2006 reporting cycle, when in fact the number of satisfactory certifications and accreditations has steadily increased since 2006. Five systems are not considered to be certified and accredited. Four of the five systems reviewed were not certified following NIST guidelines and were not counted as certified and accredited. The IRS is on track to have these systems certified and accredited for the next FISMA reporting cycle. One of the five systems did not have a current accreditation.

Question 2.b. - The IRS met annual testing requirements on only 5 (25 percent) of the 20 systems we reviewed. We consider these systems as having met the requirement because they were tested during the certification process. For those systems that were not certified during the year, annual testing was conducted; however, the testing was not in compliance with NIST guidelines. See Question 5, Quality of the Certification and Accreditation process, for further details.

Question 2.c. - 14 of 20 contingency plans were tested in accordance with NIST and OMB guidelines. Six contingency plans were not properly tested. All 6 were moderate impact for the availability control objective. One of the six was not tested at all, 2 of the 6 were tested using a tabletop exercise only, and 3 of the 6 included an insufficient functional exercise to test the backup process.

Section C - Inspector General: Question 3

Agency Name: Internal Revenue Service

Question 3: Evaluation of Agency Oversight of Contractor Systems and Quality of Agency System Inventory

3.a. The agency performs oversight and evaluation to ensure information systems used or operated by a contractor of the agency or other organization on behalf of the agency meet the requirements of FISMA, OMB policy and NIST guidelines, national security policy, and agency policy.

Agencies are responsible for ensuring the security of information systems used by a contractor of their agency or other organization on behalf of their agency; therefore, self reporting by contractors does not meet the requirements of law. Self-reporting by another Federal agency, for example, a Federal service provider, may be sufficient. Agencies and service providers have a shared responsibility for FISMA compliance.

Response Categories:
   - Rarely - for example, approximately 0-50% of the time
   - Sometimes - for example, approximately 51-70% of the time
   - Frequently - for example, approximately 71-80% of the time
   - Mostly - for example, approximately 81-95% of the time
   - Almost Always - for example, approximately 96-100% of the time

Response: Almost Always (96-100% of the time)

3.b. The agency has developed a complete inventory of major information systems (including major national security systems) operated by or under the control of such agency, including an identification of the interfaces between each such system and all other systems or networks, including those not operated by or under the control of the agency.

Response Categories:
   - The inventory is approximately 0-50% complete
   - The inventory is approximately 51-70% complete
   - The inventory is approximately 71-80% complete
   - The inventory is approximately 81-95% complete
   - The inventory is approximately 96-100% complete

Response: Inventory is 96-100% complete

3.c. The IG generally agrees with the CIO on the number of agency-owned systems. Yes or No.
Yes\n\n                 The IG generally agrees with the CIO on the number of information systems used or operated by a\n      3.d.                                                                                                                               Yes\n                 contractor of the agency or other organization on behalf of the agency. Yes or No.\n\n      3.e.       The agency inventory is maintained and updated at least annually. Yes or No.                                            Yes\n\n                 If the Agency IG does not evaluate the Agency\'s inventory as 96-100% complete, please identify the known missing systems by\n       3.f.      Component/Bureau, the Unique Project Identifier (UPI) associated with the system as presented in your FY2008 Exhibit 53 (if\n                 known), and indicate if the system is an agency or contractor system.\n\n                                                                                                                                 Agency or\n                                                                                                  Exhibit 53 Unique Project\n                           Component/Bureau                          System Name                                                 Contractor\n                                                                                                       Identifier (UPI)\n                                                                                                                                  system?\n\n\n\n\n                 Number of known systems missing\n                 from inventory:\n\x0c                                                   Section C - Inspector General: Questions 4 and 5\nAgency Name: Internal Revenue Service\n                                      Question 4: Evaluation of Agency Plan of Action and Milestones (POA&M) Process\nAssess whether the agency has developed, implemented, and is managing an agency-wide plan of 
action and milestones (POA&M) process. Evaluate the\ndegree to which each statement reflects the status in your agency by choosing from the responses provided. If appropriate or necessary, include\ncomments in the area provided.\n\nFor each statement in items 4.a. through 4.f., select the response category that best reflects the agency\'s status.\n\nResponse Categories:\n - Rarely- for example, approximately 0-50% of the time\n - Sometimes- for example, approximately 51-70% of the time\n - Frequently- for example, approximately 71-80% of the time\n - Mostly- for example, approximately 81-95% of the time\n - Almost Always- for example, approximately 96-100% of the time\n                  The POA&M is an agency-wide process, incorporating all known IT security weaknesses\n       4.a.       associated with information systems used or operated by the agency or by a contractor of the    Almost Always (96-100% of the time)\n                  agency or other organization on behalf of the agency.\n                  When an IT security weakness is identified, program officials (including CIOs, if they own or\n      4.b.                                                                                                        Almost Always (96-100% of the time)\n                  operate a system) develop, implement, and manage POA&Ms for their system(s).\n                  Program officials and contractors report their progress on security weakness remediation to the\n       4.c.                                                                                                       Almost Always (96-100% of the time)\n                  CIO on a regular basis (at least quarterly).\n                  Agency CIO centrally tracks, maintains, and reviews POA&M activities on at least a quarterly\n      4.d.                                                                                                        Mostly (81-95% of the time)\n                  basis.\n\n       4.e.       
IG findings are incorporated into the POA&M process.                                            Almost Always (96-100% of the time)\n\n                  POA&M process prioritizes IT security weaknesses to help ensure significant IT security\n       4.f.                                                                                                       Almost Always (96-100% of the time)\n                  weaknesses are addressed in a timely manner and receive appropriate resources.\n                  POA&M process comments:\n\n                                           Question 5: IG Assessment of the Certification and Accreditation Process\nProvide a qualitative assessment of the agency\'s certification and accreditation process, including adherence to existing policy, guidance, and standards.\nProvide narrative comments as appropriate.\n\nAgencies shall follow NIST Special Publication 800-37, "Guide for the Security Certification and Accreditation of Federal Information Systems" (May 2004) for\ncertification and accreditation work initiated after May 2004. This includes use of the FIPS 199, "Standards for Security Categorization of Federal Information and\nInformation Systems" (February 2004) to determine a system impact level, as well as associated NIST document used as guidance for completing risk assessments\nand security plans.\n\n                  The IG rates the overall quality of the Agency\'s certification and accreditation process as:\n\n                  Response Categories:\n                   - Excellent\n       5.a.                                                                                                       
Satisfactory\n                   - Good\n                   - Satisfactory\n                   - Poor\n                   - Failing\n\n                  The IG\'s quality rating included or considered the following aspects of the C&A process: Security plan                        X\n                  (check all that apply)\n                                                                                                                 System impact level            X\n                                                                                                                 System test and evaluation     X\n                                                                                                                 Security control testing       X\n      5.b.\n                                                                                                                 Incident handling\n                                                                                                                 Security awareness training\n                                                                                                                 Configurations/patching\n                                                                                                                 Other:\n                  C&A process comments: We reviewed the certification and accreditation documentation for five systems certified and\n                  accredited during the 2007 FISMA cycle. The certifications and accreditations were in compliance with NIST guidelines. We\n                  also reviewed the annual security controls testing as part of continuous monitoring that was conducted during the 2007\n                  FISMA cycle for 15 systems. Because continuous monitoring is part of the certification and accreditation process, we\n                  included the quality of the annual testing into the overall evaluation of the certification and accreditation process. 
The annual\n                  testing was not in compliance with NIST guidelines. The Cybersecurity office provided system owners with a standard list of\n                  controls to test for each system. This process is not consistent with NIST guidelines, or Department of the Treasury guidance\n                  that state system owners must select an appropriate set of controls to be tested for their systems. Many of the controls\n                  required by the Cybersecurity office were not applicable to the 15 systems. As a result, the Continuous Monitoring Plans for\n                  all 15 systems included controls that were not applicable to the systems. Continuous Monitoring Plans for 5 of the 15 systems\n\x0c                                                                      Section C - Inspector General: Questions 6 and 7\nAgency Name: Internal Revenue Service\n                                         Question 6: IG Assessment of Agency Privacy Program and Privacy Impact Assessment (PIA) Process\n        Provide a qualitative assessment of the agency\'s Privacy Impact Assessment (PIA) process, as discussed in Section D II.4 (SAOP reporting\n 6.a.   template), including adherence to existing policy, guidance, and standards.\n\n        Response Categories:\n         - Response Categories:                                                                                                                                                                              Satisfactory\n         - Excellent\n         - Good\n         - Satisfactory\n         - Poor\n         - Failing\n        Comments: All 20 of the sample systems reviewed have a PIA. All were timely processed. 
The Office of Privacy (OP) has updated their standard operating procedures for processing\n        PIA\'s, has submitted revised Internal Revenue Management guidelines for processing PIA\'s, and has updated and distributed literature on the PIA process.\n\n\n        Provide a qualitative assessment of the agency\'s progress to date in implementing the provisions of M-06-15, "Safeguarding Personally\n 6.b.   Identifiable Information" since the most recent self-review, including the agency\'s policies and processes, and the administrative, technical, and\n        physical means used to control and protect personally identifiable information (PII).\n\n        Response Categories:                                                                                                                                                                                    Poor\n         - Response Categories:\n         - Excellent\n         - Good\n         - Satisfactory\n         - Poor\n        Comments: During the past year, the IRS continued to take actions to conduct evaluations for all systems and applications that collect personal information. We determined a Privacy Impact Assessment was\n        prepared for all systems in our representative sample of 20 systems. The Office of Privacy has standard operating procedures and has submitted revised guidelines for processing Privacy Impact Assessments.\n        However, in 2007, we assessed the IRS\xe2\x80\x99 privacy requirements as poor due to the lack of compliance with security policies and procedures. We issued a report in 2007 summarizing the results of reviews we have\n        conducted from 2003 to 2007 that address the security of personally identifiable information. 
The report concludes that persistent computer security weaknesses continue to jeopardize the security of personally\n        identifiable information, primarily because employees and managers are not held accountable for implementing and complying with applicable IRS policies and procedures. Specifically:\n        \xe2\x80\xa2 Employees did not sufficiently safeguard laptop computers and did not encrypt data on the computers.\n        \xe2\x80\xa2 Employees were susceptible to social engineering techniques that hackers could use to gain access to their systems.\n        \xe2\x80\xa2 Employees continue to ignore IRS policies on the appropriate use of email which increases potential security vulnerabilities.\n        \xe2\x80\xa2 Employees with key security responsibilities continue to ignore standard security configurations for their own convenience and were not held accountable for complying with procedures.\n        \xe2\x80\xa2 Managers do not consistently review audit trails to identify unauthorized access to taxpayer accounts.\n        \xe2\x80\xa2 Managers provide employees access to systems and data they do not need for their job responsibilities. In many cases, managers were not aware of the access capabilities of their employees.\n        \xe2\x80\xa2 The IRS and its contractors were not integrating security controls into modernized computer systems.\n\n\n\n\n                                                                                   Question 7: Configuration Management\n        Is there an agency-wide security configuration policy? Yes or No.                                                                                                                                        
Yes\n 7.a.\n        Comments:\n        Approximate the extent to which applicable information systems apply common security configurations established by NIST.\n 7.b.\n        Response categories:\n         - Rarely- for example, approximately 0-50% of the time                                                                                                                                           Frequently (71-\n         - Sometimes- for example, approximately 51-70% of the time                                                                                                                                       80% of the time)\n         - Frequently- for example, approximately 71-80% of the time\n         - Mostly- for example, approximately 81-95% of the time\n         - Almost Always- for example, approximately 96-100% of the time\n                                                                 Section C - Inspector General: Questions 8, 9, 10 and 11\nAgency Name: Internal Revenue Service\n                                                                                         Question 8: Incident Reporting\nIndicate whether or not the agency follows documented policies and procedures for reporting incidents internally, to US-CERT, and to law enforcement. If\nappropriate or necessary, include comments in the area provided below.\n\n8.a. The agency follows documented policies and procedures for identifying and reporting incidents internally. Yes or No.                                                                                        Yes\n8.b. The agency follows documented policies and procedures for external reporting to US-CERT. Yes or No. (http://www.us-cert.gov)                                                                                Yes\n8.c. The agency follows documented policies and procedures for reporting to law enforcement. Yes or No.                                                                                                          
Yes\n        Comments:\n                                                                                  Question 9: Security Awareness Training\n\nHas the agency ensured security awareness training of all employees, including contractors and those employees with significant IT security responsibilities?\n\nResponse Categories:\n                                                                                                                                                                                                          Almost Always\n - Rarely- or approximately 0-50% of employees\n                                                                                                                                                                                                          (96-100% of\n - Sometimes- or approximately 51-70% of employees                                                                                                                                                        employees)\n - Frequently- or approximately 71-80% of employees\n - Mostly- or approximately 81-95% of employees\n - Almost Always- or approximately 96-100% of employees\n\n                                                                                    Question 10: Peer-to-Peer File Sharing\nDoes the agency explain policies regarding peer-to-peer file sharing in IT security awareness training, ethics training, or any other agency wide\n                                                                                                                                                                                                                 Yes\ntraining? Yes or No.\n                                                                             Question 11: E-Authentication Risk Assessments\n\nThe agency has completed system e-authentication risk assessments. Yes or No.                                                                                                      
                              Yes\n\x0c                                                                             Attachment II\n\n  Treasury Inspector General for Tax Administration\n   Information Technology Security Reports Issued\n          During the 2007 Evaluation Period\n\n1. Business Cases for Information Technology Projects Remain Inaccurate\n   (Reference Number 2007-20-024, dated January 25, 2007).\n2. The Internal Revenue Service Adequately Protected Sensitive Data and Restored Computer\n   Operations After the Flooding of Its Headquarters Building (Reference\n   Number 2007-20-023, dated January 26, 2007).\n3. The Internal Revenue Service Is Not Adequately Protecting Taxpayer Data on Laptop\n   Computers and Other Portable Electronic Media Devices (Reference Number 2007-20-048,\n   dated March 23, 2007).\n4. The Background Investigation Process Needs Improvements to Ensure Investigations Are\n   Completed Timely and Efficiently (Reference Number 2007-20-059, dated March 28, 2007).\n5. Sensitive Data Remain at Risk From the Use of Unauthorized Wireless Technology\n   (Reference Number 2007-20-060, dated March 28, 2007).\n6. Sufficient Emphasis Was Not Placed on Resolving Security Vulnerabilities When Restoring\n   the Electronic Fraud Detection System (Reference Number 2007-20-108,\n   dated June 14, 2007).\n7. Progress Has Been Slow in Meeting Homeland Security Presidential Directive-12\n   Requirements (Reference Number 2007-20-110, dated June 20, 2007).\n8. Network Devices Are Running Unnecessary Communication Services Which Could Expose\n   Sensitive Data to Unauthorized Individuals (Reference Number 2007-20-104,\n   dated July 9, 2007).\n9. Employees Continue to Be Susceptible to Social Engineering Attempts That Could Be Used\n   by Hackers (Reference Number 2007-20-107, dated July 20, 2007).\n10. 
Efforts Have Been Made, but Manager and Employee Noncompliance With Security Policies\n    and Procedures Puts Personally Identifiable Information at Risk (Reference\n    Number 2007-20-117, dated August 13, 2007).\n11. Standard Database Security Configurations Are Adequate, Although Much Work Is Needed\n    to Ensure Proper Implementation (Reference Number 2007-20-129, dated August 22, 2007).\n12. Insufficient Attention Has Been Given to Ensure States Protect Taxpayer Information\n    (Reference Number 2007-20-134, dated August 31, 2007).\n\n\n\n\n                                                                                          Page 18\n\x0c'